X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/d82509cf925a2afa5b09f8a67952d5553101778d..ff2e2d7b53edfec33a77ad1ff2b5a83f02a5be80:/services/api/app/controllers/arvados/v1/users_controller.rb diff --git a/services/api/app/controllers/arvados/v1/users_controller.rb b/services/api/app/controllers/arvados/v1/users_controller.rb index c32ad0b4c9..50ee3b0547 100644 --- a/services/api/app/controllers/arvados/v1/users_controller.rb +++ b/services/api/app/controllers/arvados/v1/users_controller.rb @@ -114,29 +114,39 @@ class Arvados::V1::UsersController < ApplicationController show end - # update profile for the user - def profile - reload_object_before_update - @object.profile params - show - end - protected def self._setup_requires_parameters { - send_notification_email: { type: 'boolean', required: true }, + user: { + type: 'object', required: false + }, + openid_prefix: { + type: 'string', required: false + }, + repo_name: { + type: 'string', required: false + }, + vm_uuid: { + type: 'string', required: false + }, + send_notification_email: { + type: 'boolean', required: false, default: false + }, } end - def find_objects_for_index - if (action_name == "index") and (not @read_users.any? { |u| u.is_admin }) - # Non-admin index returns very basic information about all active users. - # We ignore where and filters params to avoid leaking information. - @where = {} - @filters = [] - @select = ["uuid", "is_active", "email", "first_name", "last_name"] - @objects = model_class.where(is_active: true) + def apply_filters + return super if @read_users.any? &:is_admin + if params[:uuid] != current_user.andand.uuid + # Non-admin index/show returns very basic information about readable users. + safe_attrs = ["uuid", "is_active", "email", "first_name", "last_name"] + if @select + @select = @select & safe_attrs + else + @select = safe_attrs + end + @filters += [['is_active', '=', true]] end super end